Yair Zaslavsky has uploaded a new change for review. Change subject: core: Fix Audit log and can do action msgs handling in ldap broker. ......................................................................
core: Fix Audit log and can do action msgs handling in ldap broker. Audit log handling for login failures was extracted to the BLL command of LoginBaseCommand. Based on the AuthenticationResult enum, the Ldap broker throws a proper AAAExtensionException which is translated to both audit log and can do action message (VdcBllMessage) at LoginBaseCommand. Proper VdcBllMessages were added where needed. Change-Id: I8b0b024d27a92f620bb60e4689264bc6b3c3eda1 
Signed-off-by: Yair Zaslavsky <[email protected]> --- M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/PasswordAuthenticator.java M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/internal/InternalAuthenticator.java D backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/nop/NopAuthenticationResult.java M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/nop/NopAuthenticator.java D backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/result/BooleanAuthenticationResult.java D backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/aaa/provisional/ProvisionalAuthenticationResult.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/aaa/provisional/ProvisionalAuthenticator.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/InitBackendServicesOnStartupBean.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/LoginBaseCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/GSSAPIDirContextAuthenticationStrategy.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/LdapAuthenticateUserCommand.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/LdapBrokerCommandBase.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/LdapSearchExceptionHandler.java M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/errors/VdcBllMessages.java M backend/manager/modules/dal/src/main/resources/bundles/AppErrors.properties M backend/manager/modules/extensions-api-root/extensions-api/src/main/java/org/ovirt/engine/api/extensions/AAAExtensionException.java M backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/AuthenticationResult.java M frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/AppErrors.java M 
frontend/webadmin/modules/userportal-gwtp/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties M frontend/webadmin/modules/webadmin/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties 20 files changed, 171 insertions(+), 243 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/29/25529/1 diff --git a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/PasswordAuthenticator.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/PasswordAuthenticator.java index 73a0203..59e4dc3 100644 --- a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/PasswordAuthenticator.java +++ b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/PasswordAuthenticator.java @@ -15,7 +15,7 @@ * @param name * the name of user being authenticated * @param password - * @return AuthenticationResult object that holds the authentication result + * @return true if authenticated */ - public abstract AuthenticationResult authenticate(String name, String password); + public abstract boolean authenticate(String name, String password); } diff --git a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/internal/InternalAuthenticator.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/internal/InternalAuthenticator.java index 1aace46..3a0107e 100644 --- a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/internal/InternalAuthenticator.java +++ b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/internal/InternalAuthenticator.java 
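Review bot: The Javadoc on the abstract `authenticate` now says only `@return true if authenticated`, but the contract this change establishes is wider: a classified failure is reported by throwing AAAExtensionException (LdapAuthenticateUserCommand throws it, LoginBaseCommand catches it), while a plain `false` (as InternalAuthenticator returns) carries no reason. Document both outcomes on the interface, e.g. add `@throws AAAExtensionException when authentication fails for a classified reason (wrong credentials, expired credentials, locked account, server unavailable, timeout)` and extend the `@return` to `true if authenticated, false for an unclassified failure`. The `@param password` tag is still empty and could say `the clear-text password to verify`.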
@@ -1,9 +1,7 @@ package org.ovirt.engine.core.aaa.internal; import org.apache.commons.lang.ObjectUtils; -import org.ovirt.engine.core.aaa.AuthenticationResult; import org.ovirt.engine.core.aaa.PasswordAuthenticator; -import org.ovirt.engine.core.aaa.result.BooleanAuthenticationResult; import org.ovirt.engine.core.common.config.Config; import org.ovirt.engine.core.common.config.ConfigValues; import org.slf4j.Logger; @@ -19,11 +17,11 @@ private static final Logger log = LoggerFactory.getLogger(InternalAuthenticator.class); @Override - public AuthenticationResult authenticate(String user, String password) { + public boolean authenticate(String user, String password) { String adminName = Config.<String> getValue(ConfigValues.AdminUser); String adminPassword = Config.<String> getValue(ConfigValues.AdminPassword); - return new BooleanAuthenticationResult(ObjectUtils.equals(user, adminName) && - ObjectUtils.equals(password, adminPassword)); + return ObjectUtils.equals(user, adminName) && + ObjectUtils.equals(password, adminPassword); } @Override diff --git a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/nop/NopAuthenticationResult.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/nop/NopAuthenticationResult.java deleted file mode 100644 index 1e85b9d..0000000 --- a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/nop/NopAuthenticationResult.java +++ /dev/null @@ -1,22 +0,0 @@ -package org.ovirt.engine.core.aaa.nop; - -import java.util.Collections; -import java.util.List; - -import org.ovirt.engine.core.aaa.AuthenticationResult; - -public class NopAuthenticationResult extends AuthenticationResult { - - public NopAuthenticationResult() { - } - - @Override - public boolean isSuccessful() { - return true; - } - - @Override - public List<String> resolveMessage() { - return Collections.emptyList(); - } -} 
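Review bot: The new `return` line compares the supplied password with the configured admin password via `ObjectUtils.equals`, i.e. `String.equals`, which stops at the first differing character; for the one credential that is verified in-process rather than by a directory server, a comparison that does not short-circuit on content is the safer default. Keep the user-name check as is and compare the password bytes with `MessageDigest.isEqual`, e.g. `boolean passwordMatches = password != null && adminPassword != null && MessageDigest.isEqual(password.getBytes(StandardCharsets.UTF_8), adminPassword.getBytes(StandardCharsets.UTF_8));` followed by `return ObjectUtils.equals(user, adminName) && passwordMatches;` (two new java.security / java.nio.charset imports). This also rejects the null-for-null match that `ObjectUtils.equals` accepts, which is the intended tightening; confirm no deployment relies on an unset AdminPassword. A one-line Javadoc noting that this authenticator never throws AAAExtensionException would make clear that LoginBaseCommand's plain-false path is its only failure outcome.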
diff --git a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/nop/NopAuthenticator.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/nop/NopAuthenticator.java index dcf9ceb..993b13b 100644 --- a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/nop/NopAuthenticator.java +++ b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/nop/NopAuthenticator.java @@ -1,6 +1,5 @@ package org.ovirt.engine.core.aaa.nop; -import org.ovirt.engine.core.aaa.AuthenticationResult; import org.ovirt.engine.core.aaa.PasswordAuthenticator; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -15,8 +14,8 @@ } @Override - public AuthenticationResult authenticate(String name, String password) { - return new NopAuthenticationResult(); + public boolean authenticate(String name, String password) { + return true; } @Override diff --git a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/result/BooleanAuthenticationResult.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/result/BooleanAuthenticationResult.java deleted file mode 100644 index a778290..0000000 --- a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/result/BooleanAuthenticationResult.java +++ /dev/null @@ -1,26 +0,0 @@ -package org.ovirt.engine.core.aaa.result; - -import java.util.Collections; -import java.util.List; - -import org.ovirt.engine.core.aaa.AuthenticationResult; - -public class BooleanAuthenticationResult extends AuthenticationResult { - - private boolean value; - - public BooleanAuthenticationResult(boolean value) { - this.value = value; - } - - @Override - public boolean isSuccessful() { - return value; - } - - @Override - public List<String> resolveMessage() { - return Collections.emptyList(); - } - -} 
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/aaa/provisional/ProvisionalAuthenticationResult.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/aaa/provisional/ProvisionalAuthenticationResult.java deleted file mode 100644 index ce2da32..0000000 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/aaa/provisional/ProvisionalAuthenticationResult.java +++ /dev/null 
@@ -1,88 +0,0 @@ -package org.ovirt.engine.core.aaa.provisional; - -import java.io.UnsupportedEncodingException; -import java.net.URLDecoder; -import java.util.ArrayList; -import java.util.HashMap; -import java.util.Iterator; -import java.util.List; -import java.util.Map; - -import org.ovirt.engine.core.aaa.AuthenticationResult; -import org.ovirt.engine.core.bll.adbroker.UserAuthenticationResult; -import org.ovirt.engine.core.common.config.Config; -import org.ovirt.engine.core.common.config.ConfigValues; -import org.ovirt.engine.core.common.errors.VdcBllMessages; -import org.ovirt.engine.core.utils.log.Log; -import org.ovirt.engine.core.utils.log.LogFactory; - -public class ProvisionalAuthenticationResult extends AuthenticationResult { - - - private volatile static Map<String, String> passwordChangeMsgPerDomain = null; - private String domain; - private UserAuthenticationResult authResult; - private static Log log = LogFactory.getLog(ProvisionalAuthenticationResult.class); - - - public ProvisionalAuthenticationResult(String domain, UserAuthenticationResult userAuthResult) { - this.authResult = userAuthResult; - if (passwordChangeMsgPerDomain == null) { - synchronized (ProvisionalAuthenticationResult.class) { - if (passwordChangeMsgPerDomain == null) { - passwordChangeMsgPerDomain = new HashMap<String, String>(); - String changePasswordUrl = Config.<String> getValue(ConfigValues.ChangePasswordMsg); - String[] pairs = changePasswordUrl.split(","); - for (String pair : pairs) { - // Split the pair in such a way that if the URL contains :, it will not be split to strings - String[] pairParts = pair.split(":", 2); - if (pairParts.length >= 2) { - try { - passwordChangeMsgPerDomain.put(pairParts[0], URLDecoder.decode(pairParts[1], "UTF-8")); - } catch (UnsupportedEncodingException e) { - log.error("Eror in decoding the change password message/url. 
Message is: " - + e.getMessage()); - log.debug("", e); - } - } - } - } - } - } - this.domain = domain; - - } - - @Override - public boolean isSuccessful() { - return authResult.isSuccessful(); - } - - @Override - public List<String> resolveMessage() { - Iterator<VdcBllMessages> it = authResult.getErrorMessages().iterator(); - List<String> result = new ArrayList<>(); - while (it.hasNext()) { - VdcBllMessages current = it.next(); - if (current == VdcBllMessages.USER_PASSWORD_EXPIRED) { - String passwordChangeMsg = passwordChangeMsgPerDomain.get(domain); - if (passwordChangeMsg != null) { - if (passwordChangeMsg.indexOf("http") == 0 || passwordChangeMsg.indexOf("https") == 0) { - result.add(VdcBllMessages.USER_PASSWORD_EXPIRED_CHANGE_URL_PROVIDED.name()); - result.add(String.format("$URL %1$s", passwordChangeMsg)); - } else { - result.add(VdcBllMessages.USER_PASSWORD_EXPIRED_CHANGE_MSG_PROVIDED.name()); - result.add(String.format("$MSG %1$s", passwordChangeMsg)); - } - } else { - result.add(current.name()); - } - } else { - result.add(current.name()); - - } - } - return result; - } - -} diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/aaa/provisional/ProvisionalAuthenticator.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/aaa/provisional/ProvisionalAuthenticator.java index a9eeaa5..2eb9ceb 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/aaa/provisional/ProvisionalAuthenticator.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/aaa/provisional/ProvisionalAuthenticator.java 
@@ -1,13 +1,11 @@ package org.ovirt.engine.core.aaa.provisional; -import org.ovirt.engine.core.aaa.AuthenticationResult; import org.ovirt.engine.core.aaa.PasswordAuthenticator; import org.ovirt.engine.core.bll.adbroker.AdActionType; import org.ovirt.engine.core.bll.adbroker.LdapBroker; import org.ovirt.engine.core.bll.adbroker.LdapFactory; import org.ovirt.engine.core.bll.adbroker.LdapReturnValueBase; import org.ovirt.engine.core.bll.adbroker.LdapUserPasswordBaseParameters; -import org.ovirt.engine.core.bll.adbroker.UserAuthenticationResult; /** * This authenticator implementation is a bridge between the new directory interface and the existing LDAP @@ -42,13 +40,12 @@ * {@inheritDoc} */ @Override - public AuthenticationResult authenticate(String name, String password) { + public boolean authenticate(String name, String password) { LdapReturnValueBase ldapResult = broker.runAdAction( AdActionType.AuthenticateUser, new LdapUserPasswordBaseParameters(getProfileName(), name, password) ); - UserAuthenticationResult authResult = (UserAuthenticationResult) ldapResult.getReturnValue(); - return new ProvisionalAuthenticationResult(getProfileName(), authResult); + return ldapResult.getSucceeded(); } } diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/InitBackendServicesOnStartupBean.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/InitBackendServicesOnStartupBean.java index fd9edda..abc656a 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/InitBackendServicesOnStartupBean.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/InitBackendServicesOnStartupBean.java @@ -85,6 +85,7 @@ } AuthenticationProfileRepository.getInstance(); + LoginBaseCommand.init(); UsersDomainsCacheManagerService.getInstance().init(); AsyncTaskManager.getInstance().initAsyncTaskManager(); 
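Review bot: `return ldapResult.getSucceeded();` assumes the broker still returns on failure, but LdapAuthenticateUserCommand now reports failures by throwing AAAExtensionException (see its hunk), and this chunk does not show whether `broker.runAdAction` lets that exception propagate or catches it and hands back a failed LdapReturnValueBase. If it is caught, every LDAP failure reaches LoginBaseCommand as a bare `false`, which produces no specific audit event and no can-do-action message, i.e. the situation this change sets out to fix. Confirm the propagation path and record it in the method's Javadoc (the `{@inheritDoc}` alone no longer tells the reader), e.g. `@throws AAAExtensionException if the LDAP broker classifies the failure; propagated unchanged from LdapAuthenticateUserCommand`.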
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/LoginBaseCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/LoginBaseCommand.java index 5bd6b3c..a1e15d3 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/LoginBaseCommand.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/LoginBaseCommand.java @@ -1,17 +1,24 @@ package org.ovirt.engine.core.bll; +import java.io.UnsupportedEncodingException; +import java.net.URLDecoder; import java.util.Collections; +import java.util.EnumMap; +import java.util.HashMap; import java.util.List; +import java.util.Map; import org.apache.commons.lang.StringUtils; +import org.ovirt.engine.api.extensions.AAAExtensionException; +import org.ovirt.engine.api.extensions.AAAExtensionException.ExtensionError; import org.ovirt.engine.core.aaa.AuthenticationProfile; import org.ovirt.engine.core.aaa.AuthenticationProfileRepository; -import org.ovirt.engine.core.aaa.AuthenticationResult; import org.ovirt.engine.core.aaa.Authenticator; import org.ovirt.engine.core.aaa.Directory; import org.ovirt.engine.core.aaa.DirectoryUser; import org.ovirt.engine.core.aaa.DirectoryUtils; import org.ovirt.engine.core.aaa.PasswordAuthenticator; +import org.ovirt.engine.core.bll.adbroker.LdapBrokerUtils; import org.ovirt.engine.core.bll.session.SessionDataContainer; import org.ovirt.engine.core.bll.utils.PermissionSubject; import org.ovirt.engine.core.common.AuditLogType; @@ -20,6 +27,8 @@ import org.ovirt.engine.core.common.action.LoginUserParameters; import org.ovirt.engine.core.common.action.VdcLoginReturnValueBase; import org.ovirt.engine.core.common.businessentities.DbUser; +import org.ovirt.engine.core.common.config.Config; +import org.ovirt.engine.core.common.config.ConfigValues; import org.ovirt.engine.core.common.errors.VdcBllMessages; import org.ovirt.engine.core.compat.Guid; import org.ovirt.engine.core.utils.log.Log; 
@@ -28,6 +37,46 @@ public abstract class LoginBaseCommand<T extends LoginUserParameters> extends CommandBase<T> { protected static final Log log = LogFactory.getLog(LoginBaseCommand.class); + + private static final EnumMap<ExtensionError, AuditLogType> auditLogMap = new EnumMap<>(ExtensionError.class); + private static final Map<String, String> passwordChangeMsgPerDomain = new HashMap<>(); + private static final Map<ExtensionError, VdcBllMessages> vdcBllMessagesMap = new HashMap<>(); + + + //Called from InitOnStartup service + public static void init() { + auditLogMap.put(ExtensionError.CREDENTIALS_EXPIRED, AuditLogType.USER_ACCOUNT_PASSWORD_EXPIRED); + auditLogMap.put(ExtensionError.GENERAL_ERROR, AuditLogType.USER_VDC_LOGIN_FAILED); + auditLogMap.put(ExtensionError.INCORRET_CREDENTIALS, AuditLogType.AUTH_FAILED_INVALID_CREDENTIALS); + auditLogMap.put(ExtensionError.LOCKED_OR_DISABLED_ACCOUNT, AuditLogType.USER_ACCOUNT_DISABLED_OR_LOCKED); + auditLogMap.put(ExtensionError.TIMED_OUT, AuditLogType.AUTH_FAILED_CONNECTION_TIMED_OUT); + auditLogMap.put(ExtensionError.SERVER_IS_NOT_AVAILABLE, AuditLogType.AUTH_FAILED_CONNECTION_ERROR); + + vdcBllMessagesMap.put(ExtensionError.GENERAL_ERROR, VdcBllMessages.USER_FAILED_TO_AUTHENTICATE); + vdcBllMessagesMap.put(ExtensionError.INCORRET_CREDENTIALS, VdcBllMessages.USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD); + vdcBllMessagesMap.put(ExtensionError.LOCKED_OR_DISABLED_ACCOUNT, VdcBllMessages.USER_ACCOUNT_DISABLED); + vdcBllMessagesMap.put(ExtensionError.SERVER_IS_NOT_AVAILABLE, VdcBllMessages.USER_FAILED_TO_AUTHENTICATE_SERVER_IS_NOT_AVAILABLE); + vdcBllMessagesMap.put(ExtensionError.TIMED_OUT, VdcBllMessages.USER_FAILED_TO_AUTHENTICATE_TIMED_OUT); + vdcBllMessagesMap.put(ExtensionError.CREDENTIALS_EXPIRED, VdcBllMessages.USER_PASSWORD_EXPIRED); + + String changePasswordUrl = Config.<String> getValue(ConfigValues.ChangePasswordMsg); + String[] pairs = changePasswordUrl.split(","); + for (String pair : pairs) { + // 
Split the pair in such a way that if the URL contains :, it will not be split to strings + String[] pairParts = pair.split(":", 2); + if (pairParts.length >= 2) { + try { + passwordChangeMsgPerDomain.put(pairParts[0], URLDecoder.decode(pairParts[1], "UTF-8")); + } catch (UnsupportedEncodingException e) { + log.error("Eror in decoding the change password message/url. Message is: " + + e.getMessage()); + log.debug("", e); + } + } + } + + + } public LoginBaseCommand(T parameters) { super(parameters); 
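Review bot: `init()` is a public static method that fills three mutable static maps with no guard against being called twice and no statement that it must run before the first login; two of the three maps hold only enum-to-enum pairs and do not need a startup hook at all. Fill `auditLogMap` and `vdcBllMessagesMap` in a `static {}` block (as LdapBrokerCommandBase does in this same change), declare `vdcBllMessagesMap` as `EnumMap<ExtensionError, VdcBllMessages>` for consistency with `auditLogMap`, and leave `init()` with only the ChangePasswordMsg parsing, documented as `/** Parses the ChangePasswordMsg config value into a per-domain map; called once from InitBackendServicesOnStartupBean before any login command runs. */`. Because that parsing moved from a lazily-run constructor to startup, a null ChangePasswordMsg value would now fail engine startup at `changePasswordUrl.split(",")` rather than the first login; whether Config can return null here is not visible, so guard it or confirm. The moved log message still reads `Eror in decoding the change password message/url.`; fix the spelling while it is being relocated.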
@@ -152,15 +201,35 @@ password = curPassword; } // Perform the actual authentication: - AuthenticationResult result = passwordAuthenticator.authenticate(loginName, password); - if (!result.isSuccessful()) { + try { + if (!passwordAuthenticator.authenticate(loginName, password)) { + return false; + } + } catch (AAAExtensionException ex) { log.infoFormat( - "Can't login user \"{0}\" with authentication profile \"{1}\" because the authentication failed.", - loginName, - profileName - ); - for (String msg : result.resolveMessage()) { - getReturnValue().getCanDoActionMessages().add(msg); + "Can't login user \"{0}\" with authentication profile \"{1}\" because the authentication failed.", + loginName, + profileName); + AuditLogType auditLogType = auditLogMap.get(ex.getError()); + //if found matching audit log type, and it's not general login failure audit log (which will be logged anyway due to CommandBase.log) + if (auditLogType != null && auditLogType != AuditLogType.USER_VDC_LOGIN_FAILED) { + LdapBrokerUtils.logEventForUser(loginName, auditLogType); + } + + VdcBllMessages canDoActionMsg = vdcBllMessagesMap.get(ex.getError()); + + String passwordChangeMsg = passwordChangeMsgPerDomain.get(getParameters().getProfileName()); + getReturnValue().setSucceeded(false); + if (canDoActionMsg == VdcBllMessages.USER_PASSWORD_EXPIRED && passwordChangeMsg != null) { + if (passwordChangeMsg.indexOf("http") == 0 || passwordChangeMsg.indexOf("https") == 0) { + addCanDoActionMessage(VdcBllMessages.USER_PASSWORD_EXPIRED_CHANGE_URL_PROVIDED); + getReturnValue().getCanDoActionMessages().add(String.format("$URL %1$s", passwordChangeMsg)); + } else { + addCanDoActionMessage(VdcBllMessages.USER_PASSWORD_EXPIRED_CHANGE_MSG_PROVIDED); + getReturnValue().getCanDoActionMessages().add(String.format("$MSG %1$s", passwordChangeMsg)); + } + } else { + getReturnValue().getCanDoActionMessages().add(canDoActionMsg.name()); } return false; } 
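Review bot: `getReturnValue().getCanDoActionMessages().add(canDoActionMsg.name());` in the else branch dereferences the result of `vdcBllMessagesMap.get(ex.getError())`, which is null for any ExtensionError value that `init()` does not register, so an unmapped error becomes a NullPointerException inside the catch block instead of a login failure; add `if (canDoActionMsg == null) { canDoActionMsg = VdcBllMessages.USER_FAILED_TO_AUTHENTICATE; }` right after the lookup. The plain-`false` branch (`return false;` inside the try) records neither `setSucceeded(false)` nor any can-do-action message, unlike the catch branch; if nothing after the hunk supplies one, a failed InternalAuthenticator login reports no reason at all. The `indexOf("https") == 0` half of the URL test is redundant, since any string starting with "https" also starts with "http", and `startsWith("http")` reads better. The enclosing method starts and ends outside this hunk.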
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/GSSAPIDirContextAuthenticationStrategy.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/GSSAPIDirContextAuthenticationStrategy.java index 3a642dd..7d45c01 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/GSSAPIDirContextAuthenticationStrategy.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/GSSAPIDirContextAuthenticationStrategy.java @@ -138,9 +138,6 @@ loginContext = null; KerberosReturnCodeParser parser = new KerberosReturnCodeParser(); AuthenticationResult result = parser.parse(ex.getMessage()); - if (result.getAuditLogType() != null) { - LdapBrokerUtils.logEventForUser(userName, result.getAuditLogType()); - } log.error("Kerberos error: " + ex.getMessage()); if (log.isDebugEnabled()) { log.debug("Kerberos error stacktrace: ", ex); diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/LdapAuthenticateUserCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/LdapAuthenticateUserCommand.java index 0cf0fa3..5de7334 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/LdapAuthenticateUserCommand.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/LdapAuthenticateUserCommand.java 
@@ -2,12 +2,14 @@ import org.ovirt.engine.core.common.businessentities.LdapUser; -import org.ovirt.engine.core.common.errors.VdcBllMessages; import org.ovirt.engine.core.utils.kerberos.AuthenticationResult; import org.ovirt.engine.core.utils.log.Log; import org.ovirt.engine.core.utils.log.LogFactory; +import org.ovirt.engine.api.extensions.AAAExtensionException; +import org.ovirt.engine.api.extensions.AAAExtensionException.ExtensionError;; public class LdapAuthenticateUserCommand extends LdapBrokerCommandBase { + public LdapAuthenticateUserCommand(LdapUserPasswordBaseParameters parameters) { super(parameters); } @@ -53,7 +55,7 @@ queryData.getLdapQueryType().name()); setSucceeded(false); Exception ex = directorySearcher.getException(); - authResult = handleDirectorySearcherException(ex); + handleDirectorySearcherException(ex); } else { user = populateUserData((LdapUser) searchResult, getAuthenticationDomain()); if (user != null) { 
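Review bot: `import org.ovirt.engine.api.extensions.AAAExtensionException.ExtensionError;;` carries a doubled semicolon, and both `org.ovirt.engine.api.extensions` imports are appended after the `org.ovirt.engine.core.utils` imports rather than in the sorted position the file otherwise keeps; drop the extra `;` and move the two lines above the `org.ovirt.engine.core` group. The blank line inserted directly after the class header is similarly just noise.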
@@ -70,29 +72,23 @@ } if (!getSucceeded()) { - if (authResult == null) { - authResult = new UserAuthenticationResult(user, VdcBllMessages.USER_FAILED_TO_AUTHENTICATE); - } else if (authResult.getErrorMessages().isEmpty()) { - authResult.getErrorMessages().add(VdcBllMessages.USER_FAILED_TO_AUTHENTICATE); - } + throw new AAAExtensionException(ExtensionError.GENERAL_ERROR, "User failed to authenticate"); } setReturnValue(authResult); } - private UserAuthenticationResult handleDirectorySearcherException(Exception ex) { + private void handleDirectorySearcherException(Exception ex) { UserAuthenticationResult authResult = null; - VdcBllMessages errorMsg = VdcBllMessages.USER_FAILED_TO_AUTHENTICATE; + AAAExtensionException aaaException = null; if (ex instanceof AuthenticationResultException) { AuthenticationResultException authResultException = (AuthenticationResultException) ex; AuthenticationResult result = authResultException.getResult(); if (result == null) { result = AuthenticationResult.OTHER; } - errorMsg = VdcBllMessages.valueOf(result.getVdcBllMessage()); log.error(result.getDetailedMessage()); + throw authResultToExceptionMap.get(result); } - authResult = new UserAuthenticationResult(errorMsg); - return authResult; } private String constructPrincipalName(String username, String domain) { @@ -102,8 +98,7 @@ @Override protected void handleRootDSEFailure(DirectorySearcher directorySearcher) { Exception ex = directorySearcher.getException(); - UserAuthenticationResult authResult = handleDirectorySearcherException(ex); - setReturnValue(authResult); + handleDirectorySearcherException(ex); } private static Log log = LogFactory.getLog(LdapAuthenticateUserCommand.class); diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/LdapBrokerCommandBase.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/LdapBrokerCommandBase.java index 5c06e0c..ae4b18f 100644 
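Review bot: `throw authResultToExceptionMap.get(result);` in handleDirectorySearcherException throws a preallocated exception instance shared by every login: its stack trace was captured once in LdapBrokerCommandBase's static initializer rather than at the failure site, any addSuppressed/initCause by a catcher mutates the shared object, and for an AuthenticationResult the map does not cover the statement is `throw null`, i.e. a NullPointerException. Build a fresh exception at the throw site, e.g. `AAAExtensionException template = authResultToExceptionMap.get(result);` `throw new AAAExtensionException(template == null ? ExtensionError.GENERAL_ERROR : template.getError(), result.getDetailedMessage());` (the same defect applies to the map in the LdapBrokerCommandBase hunk, which would better hold ExtensionError values). The locals `UserAuthenticationResult authResult = null;` and `AAAExtensionException aaaException = null;` are now unused and should be removed. For a searcher exception that is not an AuthenticationResultException the method now returns silently; the first caller then falls through to the GENERAL_ERROR throw, but `handleRootDSEFailure` (third hunk) ends with neither a return value nor an exception, unless code outside the hunk covers that case.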
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/LdapBrokerCommandBase.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/LdapBrokerCommandBase.java 
@@ -1,18 +1,60 @@ package org.ovirt.engine.core.bll.adbroker; import java.util.ArrayList; +import java.util.EnumMap; import java.util.HashSet; import java.util.List; import java.util.Map; +import org.ovirt.engine.api.extensions.AAAExtensionException; +import org.ovirt.engine.api.extensions.AAAExtensionException.ExtensionError; import org.ovirt.engine.core.common.businessentities.LdapGroup; import org.ovirt.engine.core.common.businessentities.LdapUser; import org.ovirt.engine.core.common.errors.VdcBllMessages; import org.ovirt.engine.core.common.utils.ExternalId; +import org.ovirt.engine.core.utils.kerberos.AuthenticationResult; import org.ovirt.engine.core.utils.log.Log; import org.ovirt.engine.core.utils.log.LogFactory; public abstract class LdapBrokerCommandBase extends BrokerCommandBase { + + protected static final EnumMap<AuthenticationResult, AAAExtensionException> authResultToExceptionMap = + new EnumMap<>(AuthenticationResult.class); + + static { + authResultToExceptionMap.put(AuthenticationResult.CANNOT_FIND_LDAP_SERVER_FOR_DOMAIN, + new AAAExtensionException(ExtensionError.SERVER_IS_NOT_AVAILABLE, "")); + authResultToExceptionMap.put(AuthenticationResult.CLIENT_NOT_FOUND_IN_KERBEROS_DATABASE, + new AAAExtensionException(ExtensionError.INCORRET_CREDENTIALS, "")); + authResultToExceptionMap.put(AuthenticationResult.CLOCK_SKEW_TOO_GREAT, + new AAAExtensionException(ExtensionError.GENERAL_ERROR, "")); + authResultToExceptionMap.put(AuthenticationResult.CONNECTION_ERROR, + new AAAExtensionException(ExtensionError.SERVER_IS_NOT_AVAILABLE, "")); + authResultToExceptionMap.put(AuthenticationResult.CONNECTION_TIMED_OUT, + new AAAExtensionException(ExtensionError.TIMED_OUT, "")); + authResultToExceptionMap.put(AuthenticationResult.DNS_COMMUNICATION_ERROR, + new AAAExtensionException(ExtensionError.SERVER_IS_NOT_AVAILABLE, "")); + authResultToExceptionMap.put(AuthenticationResult.DNS_ERROR, + new AAAExtensionException(ExtensionError.SERVER_IS_NOT_AVAILABLE, "")); + 
authResultToExceptionMap.put(AuthenticationResult.INTERNAL_KERBEROS_ERROR, + new AAAExtensionException(ExtensionError.GENERAL_ERROR, + "An internal error at the authentication module has ocurred")); + authResultToExceptionMap.put(AuthenticationResult.INVALID_CREDENTIALS, + new AAAExtensionException(ExtensionError.INCORRET_CREDENTIALS, "")); + authResultToExceptionMap.put(AuthenticationResult.NO_KDCS_FOUND, + new AAAExtensionException(ExtensionError.SERVER_IS_NOT_AVAILABLE, "")); + authResultToExceptionMap.put(AuthenticationResult.NO_USER_INFORMATION_WAS_FOUND_FOR_USER, + new AAAExtensionException(ExtensionError.INCORRET_CREDENTIALS, "")); + authResultToExceptionMap.put(AuthenticationResult.OTHER, + new AAAExtensionException(ExtensionError.GENERAL_ERROR, "")); + authResultToExceptionMap.put(AuthenticationResult.PASSWORD_EXPIRED, + new AAAExtensionException(ExtensionError.CREDENTIALS_EXPIRED, "")); + authResultToExceptionMap.put(AuthenticationResult.USER_ACCOUNT_DISABLED_OR_LOCKED, + new AAAExtensionException(ExtensionError.LOCKED_OR_DISABLED_ACCOUNT, "")); + authResultToExceptionMap.put(AuthenticationResult.WRONG_REALM, + new AAAExtensionException(ExtensionError.INCORRET_CREDENTIALS, "")); + } + @Override protected String getPROTOCOL() { return "LDAP://"; diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/LdapSearchExceptionHandler.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/LdapSearchExceptionHandler.java index baedb86..d3ec992 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/LdapSearchExceptionHandler.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/adbroker/LdapSearchExceptionHandler.java 
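Review bot: The table folds fifteen AuthenticationResult values into six ExtensionError values, and because LoginBaseCommand keys its auditLogMap by ExtensionError, the per-result audit types the old enum referenced (clock skew, no KDCs, DNS errors, wrong realm, client not found in the Kerberos database — see the AuthenticationResult hunk) are no longer emitted; CLOCK_SKEW_TOO_GREAT in particular becomes GENERAL_ERROR, whose audit type LoginBaseCommand deliberately skips, so an operator sees only a generic login failure. Almost every entry also carries an empty message, so the exception itself tells the catcher nothing about the cause. If the coarser ExtensionError set is intended, preserve the diagnosis by storing ExtensionError values here and constructing the exception with `result.getDetailedMessage()` at the throw site in LdapAuthenticateUserCommand, and put a comment on the field such as `// Coarse mapping consumed by LoginBaseCommand for audit log and can-do-action messages; per-result detail survives only in the engine log.` The message on the INTERNAL_KERBEROS_ERROR entry also misspells "ocurred".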
@@ -67,9 +67,6 @@ .setTranslatedException(new AuthenticationResultException(AuthenticationResult.USER_ACCOUNT_DISABLED_OR_LOCKED, throwable)) .setTryNextServer(false); - //Account may get locked between kerberos authentication and ldap querying. - //The audit log infrastructure prevents double logging in case the scenario in the above line does not occur (which is in most cases) - LdapBrokerUtils.logEventForUser(credentials.getUserName(), AuthenticationResult.USER_ACCOUNT_DISABLED_OR_LOCKED.getAuditLogType()); } private void handleInterruptException(LdapSearchExceptionHandlingResponse response, Throwable cause) { diff --git a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/errors/VdcBllMessages.java b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/errors/VdcBllMessages.java index 80f5c7a..45c8ca1 100644 --- a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/errors/VdcBllMessages.java +++ b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/errors/VdcBllMessages.java @@ -1,6 +1,5 @@ package org.ovirt.engine.core.common.errors; - // This enum was moved from VdcBLL public enum VdcBllMessages { Unassigned, @@ -391,6 +390,8 @@ USER_CANNOT_REMOVE_HIMSELF(ErrorType.CONFLICT), USER_FAILED_TO_AUTHENTICATE(ErrorType.NO_AUTHENTICATION), USER_FAILED_TO_AUTHENTICATE_KERBEROS_ERROR(ErrorType.NO_AUTHENTICATION), + USER_FAILED_TO_AUTHENTICATE_SERVER_IS_NOT_AVAILABLE(ErrorType.NO_AUTHENTICATION), + USER_FAILED_TO_AUTHENTICATE_TIMED_OUT(ErrorType.NO_AUTHENTICATION), USER_PASSWORD_EXPIRED(ErrorType.NO_AUTHENTICATION), USER_PASSWORD_EXPIRED_CHANGE_URL_PROVIDED(ErrorType.NO_AUTHENTICATION), USER_PASSWORD_EXPIRED_CHANGE_MSG_PROVIDED(ErrorType.NO_AUTHENTICATION), diff --git a/backend/manager/modules/dal/src/main/resources/bundles/AppErrors.properties b/backend/manager/modules/dal/src/main/resources/bundles/AppErrors.properties index fc265d4..85951b8 100644 
--- a/backend/manager/modules/dal/src/main/resources/bundles/AppErrors.properties +++ b/backend/manager/modules/dal/src/main/resources/bundles/AppErrors.properties @@ -372,6 +372,8 @@ USER_CANNOT_ATTACH_TO_VM_ALREADY_ATTACHED=User is already attached to VM USER_CANNOT_ATTACH_TO_VM_NOT_ATTACHED=The user is not attached to this VM. USER_FAILED_TO_AUTHENTICATE=Login failed. Please verify your login information or contact the system administrator. +USER_FAILED_TO_AUTHENTICATE_TIMED_OUT=Login failed. A timeout has occurred to one or more of the servers that participate in the login process. +USER_FAILED_TO_AUTHENTICATE_SERVER_IS_NOT_AVAILABLE =login failed. One or more servers that are needed for completion of the login process is not available. USER_FAILED_TO_AUTHENTICATE_KERBEROS_ERROR=Login failed. Client not found in kerberos database. Please verify your login information or contact the system administrator. USER_FAILED_TO_AUTHENTICATION_WRONG_AUTHENTICATION_METHOD=Login failed (Authentication Failed).\n\ - Please verify that the correct authentication method is used in your system. diff --git a/backend/manager/modules/extensions-api-root/extensions-api/src/main/java/org/ovirt/engine/api/extensions/AAAExtensionException.java b/backend/manager/modules/extensions-api-root/extensions-api/src/main/java/org/ovirt/engine/api/extensions/AAAExtensionException.java index 3b79e78..a72f438 100644 --- a/backend/manager/modules/extensions-api-root/extensions-api/src/main/java/org/ovirt/engine/api/extensions/AAAExtensionException.java +++ b/backend/manager/modules/extensions-api-root/extensions-api/src/main/java/org/ovirt/engine/api/extensions/AAAExtensionException.java @@ -1,4 +1,4 @@ -package org.ovirt.engine.core.aaa; +package org.ovirt.engine.api.extensions; public class AAAExtensionException extends RuntimeException { 
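Review bot: `USER_FAILED_TO_AUTHENTICATE_SERVER_IS_NOT_AVAILABLE =login failed. ...` has a stray space before `=` and a lowercase "login", unlike every neighbouring key, and its value mixes plural and singular ("One or more servers ... is not available"). Suggest `USER_FAILED_TO_AUTHENTICATE_SERVER_IS_NOT_AVAILABLE=Login failed. One or more servers needed to complete the login process are not available.`, and for symmetry `USER_FAILED_TO_AUTHENTICATE_TIMED_OUT=Login failed. A timeout occurred while contacting one or more of the servers that participate in the login process.`. The two frontend AppErrors.properties files listed in the change are not in this chunk, so confirm the same wording is used there.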
diff --git a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/AuthenticationResult.java b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/AuthenticationResult.java index f125bdb..858a0d4 100644 --- a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/AuthenticationResult.java +++ b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/AuthenticationResult.java 
@@ -1,129 +1,85 @@ package org.ovirt.engine.core.utils.kerberos; -import org.ovirt.engine.core.common.AuditLogType; - public enum AuthenticationResult { - OK("", "", 0, AuditLogType.USER_VDC_LOGIN), + OK("", 0), INVALID_CREDENTIALS( "Authentication Failed. Please verify the username and password.", - "USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD", - 11, - AuditLogType.AUTH_FAILED_INVALID_CREDENTIALS), + 11), CLOCK_SKEW_TOO_GREAT( "Authentication Failed. The Engine clock is not synchronized with directory services (must be within 5" + " minutes difference). Please verify the clocks are synchronized", - "USER_FAILED_TO_AUTHENTICATE_CLOCK_SKEW_TOO_GREAT", - 12, - AuditLogType.AUTH_FAILED_CLOCK_SKEW_TOO_GREAT), + 12), NO_KDCS_FOUND( "Authentication Failed. Please verify the fully qualified domain name that is used for authentication is" + " correct.", - "USER_FAILED_TO_AUTHENTICATE_NO_KDCS_FOUND", - 13, - AuditLogType.AUTH_FAILED_NO_KDCS_FOUND), + 13), DNS_ERROR( "Authentication Failed. Error in DNS configuration. Please verify the Engine host has a valid reverse" + " DNS (PTR) record.", - "USER_FAILED_TO_AUTHENTICATE_DNS_ERROR", - 14, - AuditLogType.AUTH_FAILED_DNS_ERROR), + 14), OTHER( "Kerberos error. Please check log for further details.", - "USER_FAILED_TO_AUTHENTICATE", - 15, - AuditLogType.AUTH_FAILED_OTHER), + 15), USER_ACCOUNT_DISABLED_OR_LOCKED( "Authentication failed. The user is either locked or disabled", - "USER_FAILED_TO_AUTHENTICATE_ACCOUNT_IS_LOCKED_OR_DISABLED", - 16, - AuditLogType.USER_ACCOUNT_DISABLED_OR_LOCKED), + 16), DNS_COMMUNICATION_ERROR( "Authentication Failed. Cannot lookup DNS for SRV records. Please check your DNS configuration", - "USER_FAILED_TO_AUTHENTICATE_DNS_ERROR", - 17, - AuditLogType.AUTH_FAILED_DNS_COMMUNICATION_ERROR), + 17), CONNECTION_TIMED_OUT( "Authentication Failed. Connection to LDAP server has timed out. 
Please contact your system" + " administrator", - "USER_FAILED_TO_AUTHENTICATE_CONNECTION_TIMED_OUT", - 18, - AuditLogType.AUTH_FAILED_CONNECTION_TIMED_OUT), + 18), WRONG_REALM( "Authentication Failed. Wrong domain name was provided for authentication.", - "USER_FAILED_TO_AUTHENTICATE_WRONG_REALM", - 19, - AuditLogType.AUTH_FAILED_WRONG_REALM), + 19), CONNECTION_ERROR( "Connection refused or some configuration problems exist. Possible DNS error." + " Check your Kerberos and LDAP records", - "USER_FAILED_TO_AUTHENTICATE_CONNECTION_ERROR", - 20, - AuditLogType.AUTH_FAILED_CONNECTION_ERROR), + 20), CANNOT_FIND_LDAP_SERVER_FOR_DOMAIN( "Cannot find valid LDAP server for domain", - "CANNOT_FIND_LDAP_SERVER_FOR_DOMAIN", - 21, - AuditLogType.AUTH_FAILED_CANNOT_FIND_LDAP_SERVER_FOR_DOMAIN), + 21), NO_USER_INFORMATION_WAS_FOUND_FOR_USER( "No user information was found for user", - "NO_USER_INFORMATION_WAS_FOUND_FOR_USER", - 22, - AuditLogType.AUTH_FAILED_NO_USER_INFORMATION_WAS_FOUND), + 22), PASSWORD_EXPIRED( "Authentication Failed. The password has expired. Please change your password and login again.", - "USER_PASSWORD_EXPIRED", - 23, - AuditLogType.USER_ACCOUNT_PASSWORD_EXPIRED), + 23), CLIENT_NOT_FOUND_IN_KERBEROS_DATABASE( "Authentication Failed. Client not found in kerberos database.", - "USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD", - 24, - AuditLogType.AUTH_FAILED_CLIENT_NOT_FOUND_IN_KERBEROS_DATABASE), + 24), INTERNAL_KERBEROS_ERROR( "An internal error has ocurred in the Kerberos implementation of the Java virtual machine. This usually" + " means that the LDAP server is configured with a minimum security strength factor (minssf)" + " of 0. 
Change it to 1 and try again.", - "INTERNAL_KERBEROS_ERROR", - 25, - AuditLogType.AUTH_FAILED_INTERNAL_KERBEROS_ERROR); + 25); - private String vdcBllMessage; private String detailedMessage; private final int exitCode; - private AuditLogType auditLogType; - private AuthenticationResult(String detailedMsg, String vdcBllMessage, int exitCode, AuditLogType auditLogType) { + private AuthenticationResult(String detailedMsg, int exitCode) { this.detailedMessage = detailedMsg; - this.vdcBllMessage = vdcBllMessage; this.exitCode = exitCode; - this.auditLogType = auditLogType; } public String getDetailedMessage() { return detailedMessage; - } - - public AuditLogType getAuditLogType() { - return auditLogType; - } - - public String getVdcBllMessage() { - return vdcBllMessage; } public int getExitCode() { diff --git a/frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/AppErrors.java b/frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/AppErrors.java index 98b575e..30922bb 100644 --- a/frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/AppErrors.java +++ b/frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/AppErrors.java @@ -1057,6 +1057,12 @@ @DefaultStringValue("Login failed. Please verify your login information or contact the system administrator.") String USER_FAILED_TO_AUTHENTICATE(); + @DefaultStringValue("ogin failed. One or more servers that are needed for completion of the login process is not available.") + String USER_FAILED_TO_AUTHENTICATE_SERVER_IS_NOT_AVAILABLE(); + + @DefaultStringValue("Login failed. A timeout has occurred to one or more of the servers that participate in the login process.") + String USER_FAILED_TO_AUTHENTICATE_TIMED_OUT(); + @DefaultStringValue("Login failed. Client not found in kerberos database. Please verify your login information or contact the system administrator.") String USER_FAILED_TO_AUTHENTICATE_KERBEROS_ERROR(); 
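Review bot: `detailedMessage` is still declared `private String detailedMessage;` while `exitCode` is `private final int`; the constructor is its only writer, so it should be `private final String detailedMessage;` for the same reason. With the `vdcBllMessage` and `auditLogType` columns removed, nothing in this file records where the per-result mapping now lives, so a Javadoc on the enum such as `/** Outcome of a Kerberos/LDAP authentication attempt; the audit-log type and VdcBllMessages value for each result are resolved by the BLL login command. */` would help the next maintainer. One detail of the removed mapping is worth preserving on the BLL side, which is outside this hunk: `CLIENT_NOT_FOUND_IN_KERBEROS_DATABASE` was reported to the user as `USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD`, the same message as `INVALID_CREDENTIALS`, so the response did not reveal whether the principal exists; the new mapping should keep that rather than surface the more specific kerberos text. The enum body continues past the end of the hunk.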
diff --git a/frontend/webadmin/modules/userportal-gwtp/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties b/frontend/webadmin/modules/userportal-gwtp/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties
index edfa57d..542016d 100644
--- a/frontend/webadmin/modules/userportal-gwtp/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties
+++ b/frontend/webadmin/modules/userportal-gwtp/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties
@@ -351,6 +351,8 @@
 USER_CANNOT_ATTACH_TO_VM_ALREADY_ATTACHED=User is already attached to VM
 USER_CANNOT_ATTACH_TO_VM_NOT_ATTACHED=The user is not attached to this VM.
 USER_FAILED_TO_AUTHENTICATE=Login failed. Please verify your login information or contact the system administrator.
+USER_FAILED_TO_AUTHENTICATE_TIMED_OUT=Login failed. A timeout has occurred to one or more of the servers that participate in the login process.
+USER_FAILED_TO_AUTHENTICATE_SERVER_IS_NOT_AVAILABLE =login failed. One or more servers that are needed for completion of the login process is not available.
 USER_FAILED_TO_AUTHENTICATE_KERBEROS_ERROR=Login failed. Client not found in kerberos database. Please verify your login information or contact the system administrator.
 USER_FAILED_TO_AUTHENTICATION_WRONG_AUTHENTICATION_METHOD=Login failed (Authentication Failed).\n\
 - Please verify that the correct authentication method is used in your system.
diff --git a/frontend/webadmin/modules/webadmin/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties b/frontend/webadmin/modules/webadmin/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties
index 60c4ecc..439ea91 100644
--- a/frontend/webadmin/modules/webadmin/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties
+++ b/frontend/webadmin/modules/webadmin/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties
@@ -375,6 +375,8 @@
 USER_CANNOT_ATTACH_TO_VM_ALREADY_ATTACHED=User is already attached to VM
 USER_CANNOT_ATTACH_TO_VM_NOT_ATTACHED=The user is not attached to this VM.
 USER_FAILED_TO_AUTHENTICATE=Login failed. Please verify your login information or contact the system administrator.
+USER_FAILED_TO_AUTHENTICATE_TIMED_OUT=Login failed. A timeout has occurred to one or more of the servers that participate in the login process.
+USER_FAILED_TO_AUTHENTICATE_SERVER_IS_NOT_AVAILABLE =login failed. One or more servers that are needed for completion of the login process is not available.
 USER_FAILED_TO_AUTHENTICATE_KERBEROS_ERROR=Login failed. Client not found in kerberos database. Please verify your login information or contact the system administrator.
 USER_FAILED_TO_AUTHENTICATION_WRONG_AUTHENTICATION_METHOD=Login failed (Authentication Failed).\n\
 - Please verify that the correct authentication method is used in your system.
-- To view, visit http://gerrit.ovirt.org/25529 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I8b0b024d27a92f620bb60e4689264bc6b3c3eda1 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Yair Zaslavsky <[email protected]> _______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
